integ/security/tboot/centos/meta_patches/0003-security-set-immutable-attribute.patch

From 15d8e3a327bc4ee96845163f962837cfcb4699bb Mon Sep 17 00:00:00 2001
From: Kam Nasim <kam.nasim@windriver.com>
Date: Tue, 6 Feb 2018 15:25:00 -0500
Subject: [PATCH] CGTS-8849: Security: Set immutable attribute and permissions

---
 SPECS/tboot.spec | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/SPECS/tboot.spec b/SPECS/tboot.spec
index f04dd17..1673095 100644
--- a/SPECS/tboot.spec
+++ b/SPECS/tboot.spec
@@ -75,6 +75,13 @@ if [ -e "/sys/firmware/efi" ]; then
 	exit 0;
 fi
 
+# On updating this package, we want to clear the immutable
+# attribute so that the module files can get overwritten
+if [ $1 -gt 1 ]; then
+    chattr -i /boot/tboot.gz /boot/tboot-syms
+fi
+exit 0
+
 %install
 rm -rf $RPM_BUILD_ROOT
 make debug=y DISTDIR=$RPM_BUILD_ROOT install
@@ -82,6 +89,11 @@ make debug=y DISTDIR=$RPM_BUILD_ROOT install
 %clean
 rm -rf $RPM_BUILD_ROOT
 
+%post
+# Set immutable attribute on tboot modules
+chattr +i /boot/tboot.gz /boot/tboot-syms
+exit 0
+
 %files
 %defattr(-,root,root,-)
 %doc README COPYING docs/* lcptools/lcptools2.txt lcptools/Linux_LCP_Tools_User_Manual.pdf
@@ -118,8 +130,8 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/lcp_writepol.8.gz
 %{_mandir}/man8/tb_polgen.8.gz
 %{_mandir}/man8/txt-stat.8.gz
-/boot/tboot.gz
-/boot/tboot-syms
+%attr(0400,root,root) /boot/tboot.gz
+%attr(0400,root,root) /boot/tboot-syms
 
 %changelog
 * Mon Jul 16 2018 Tony Camuso <tcamuso@redhat.com> - 1:1.9.6-3
-- 
2.7.4